Google testing new login system: your phone is your authentication
We’re always looking at three main ways to authenticate users when it comes to security: things they know, things they have, and things they are. In practice, that breaks down to passwords, objects like keys or devices, and biometrics, respectively. As we try to figure out the ideal balance between security, convenience, and flexibility, we’re frequently juggling the interaction between those three types of authentication – and often combining two or more. Now Android users may soon have a new way to help them easily access their Google accounts across devices, as the company appears to be testing a new phone-based login system.
A user on Reddit shares the evidence for what looks to be an early test run of this new system. Google links your account to an Android phone on which you’re already signed in, and that phone also needs to have a secure lockscreen; as with the new Android Pay, users who don’t want a lockscreen on their phone appear to be out of luck. Then whenever you attempt to access a Google service on another device, you’ll get a notification on your phone that asks you to approve or deny access.
In practice, it sounds a bit like traditional SMS-based two-factor authentication, only here you’re not asked to enter your main Google password on new devices in the first place (perhaps a benefit when you don’t necessarily trust the system you’re working on), and this new system seems to support data-only devices without a cell connection.
When you don’t have your phone on you or your battery’s dead, you can always fall back to a standard password login, and Google may request additional authentication steps if its servers ever get the sense that something fishy’s going on.
Right now there’s no word from Google on when we might hope to see this system extend to greater availability.